SERVICE 3702/udp

WS-Discovery

aka wsd, onvif-discovery

Web Services Dynamic Discovery on 3702/udp — how Windows, printers and ONVIF cameras announce themselves. Enumerate networked devices passively; the protocol is also a potent DDoS amplifier.

service discovery udp

Ports

Port	Proto	Notes
`3702`	udp	WS-Discovery (multicast)

Fingerprint

Devices answer a Probe multicast with their service endpoints
Common on ONVIF cameras, network printers, Windows hosts

Exploitation primitives

Send a Probe to discover devices and their service URLs (cameras, printers)
Feeds follow-up attacks (RTSP for cameras, raw printing for printers)
Reflective amplification DDoS vector when internet-exposed

Overview

WS-Discovery on 3702/udp is multicast device discovery. It’s a quick passive inventory of cameras, printers and Windows machines on a segment.

Enumeration

Probe for devices with WSDiscovery tooling:

python3 wsdd-discover.py --interface eth0

nmap broadcast discovery:

sudo nmap --script broadcast-ws-discovery

Hardening

Block 3702/udp at segment boundaries and disable WSD on devices that don’t need auto-discovery.

References

HackTricks WS-Discovery